Symptom: a guest scanning a plant fired POST /api/mobile/scans without
a Bearer token, the backend rightfully replied 401, and the apiPost
emitter dispatched 'unauthorized' which AuthContext interpreted as
"session lost" and wiped the local guest, kicking the user back to
Onboarding.

Two fixes:

1. apiGet/apiPost now track whether a Bearer was actually attached
   to the request and only emit the 'unauthorized' event when one was
   sent. An anonymous 401 stays a plain SERVER error.
2. pushScan() short-circuits if getToken() returns null, so guests
   never even hit the network for scan persistence.

Combined effect: guests stay guests, registered users still get
session-revocation feedback when their token is rejected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
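
Added example, not code from this commit or its repository: a sketch of the two behaviours the message describes, run against a constructed backend stub that answers 401 to everything. The names createApiClient, transport, onUnauthorized and the returned result shapes are assumptions; only apiPost, pushScan, getToken and the /api/mobile/scans path come from the message.

```javascript
// Added illustration. createApiClient, transport, onUnauthorized and the
// result shapes are hypothetical; only the behaviour comes from the commit.
function createApiClient({ getToken, transport, onUnauthorized }) {
  async function apiPost(path, body) {
    const token = getToken();
    const headers = { 'Content-Type': 'application/json' };
    const bearerAttached = token != null; // remember what was actually sent
    if (bearerAttached) headers.Authorization = `Bearer ${token}`;

    const res = await transport({ method: 'POST', path, headers, body });
    if (res.status === 401 && bearerAttached) {
      onUnauthorized(); // a credential was rejected: the session is gone
      return { ok: false, error: 'UNAUTHORIZED' };
    }
    // An anonymous 401 falls through and is reported like any other failure.
    return res.status >= 400 ? { ok: false, error: 'SERVER' } : { ok: true };
  }

  async function pushScan(scan) {
    // Guests have no token, so scan persistence never reaches the network.
    if (getToken() == null) return { ok: false, skipped: true };
    return apiPost('/api/mobile/scans', scan);
  }

  return { apiPost, pushScan };
}

// Constructed scenario: a backend stub that answers 401 to every request.
async function runScenarios() {
  const out = {};
  for (const [who, token] of [['guest', null], ['user', 'constructed-revoked-token']]) {
    let calls = 0;
    let events = 0;
    const client = createApiClient({
      getToken: () => token,
      transport: async () => { calls += 1; return { status: 401 }; },
      onUnauthorized: () => { events += 1; },
    });
    const push = await client.pushScan({ plantId: 1 });
    const callsAfterPush = calls;
    const post = await client.apiPost('/api/mobile/scans', { plantId: 1 });
    out[who] = { push, post, callsAfterPush, calls, events };
  }
  return out;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The guest run shows both guards independently: pushScan makes no request at all, and a direct anonymous apiPost that does get a 401 raises no session-loss event.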